Protecting Deep Neural Networks Against Black-box Adversarial Attacks

Farshadfar, Elahe | 2023

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 56284 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Jalili, Rasoul

Abstract:
Recent advances in machine learning, and especially deep learning, have caused a dramatic increase in the use of these algorithms in different applications, such as disease diagnosis, anomaly detection, and malware detection. Since training deep neural networks is costly, both in gathering large amounts of labeled data and in computing and human resources, deep learning models form part of an organization's intellectual property, and so the importance of securing these models is increasing. One of the most important types of attack compromising the security of deep neural networks is the black-box adversarial example attack. In adversarial example attacks, the adversary attempts to persuade the victim model into making a mistake in its classification task by generating an input that, compared to a normal input, contains a small amount of crafted noise called a perturbation. In the black-box threat model, it is assumed that the adversary has no access to the victim model's parameters (its weights) and can only send queries to the model and receive the corresponding answers through a user interface. There are two main methods for creating black-box adversarial examples: surrogate-model-based adversarial examples and query-based adversarial examples. In this research, we focus on black-box adversarial attacks, especially the query-based type, and on the defense methods proposed against them. We decrease the adversary's success rate in performing query-based adversarial attacks, and increase the cost of carrying them out, by introducing a novel defense method called Divergent Twins Fencing (DTF), which uses two subtly different models to defend against such attacks.

The evaluation criteria used to assess the proposed defense method are the success rate and the average number of queries required to craft adversarial examples with two of the strongest attack methods presented in recent research when they confront our defense, together with an analysis of its performance compared to its rival defense, which is one of the most important and strongest defense methods in the literature against these attacks.
Keywords: Deep Neural Networks; Information Security; Machine Learning; Adversarial Example; Black Box Adversarial Environment; Divergent Twins Fencing (DTF); Privacy Preserving; Model Extraction Attacks; Query-Based Attack
